ScienceLogic Root Cause Timeline Widget

Download this manual as a PDF file

Features

  • Automatically adds Root Cause reports in ScienceLogic SL1. This allows you to see details of root cause in any SL1 dashboard.
  • The Root Cause Timeline widget in SL1 dashboards displays suggestions, accepted and custom alerts, and the Skylar Automated RCA "word cloud" with summary root cause analysis (RCA) based on the relevant logs associated with the suggestions and alerts.
  • This leads to faster Mean Time to Resolution (MTTR) and less time manually hunting for root cause.
  • Requires SL1 12.1.0 or later.

How It Works

The recommended mode of operation for observability dashboard integrations is to use the Skylar Automated RCA Auto-Detect mode as an accurate mechanism for explaining the reason something went wrong. In this mode, you continue to use your existing rules, alerts, and metrics as the primary source of problem detection.

You can then review Skylar Automated RCA report findings directly in your SL1 dashboards alongside other metrics to explain the reason behind the problems for which you were alerted.

Configuring the Root Cause Timeline Widget in SL1

For Skylar Automated RCA users, a Root Cause Timeline visualization is available on the Dashboards page in SL1. This widget visualization lets you see when the Skylar AI detects a possible or confirmed issue. When you hover over an icon for a suggestion or an alert in the widget, a pop-up displays a title and a word cloud that contains additional information about the likely root cause based on the relevant logs associated with the issue.

You can click the icon for a suggestion or an alert on the Root Cause Timeline visualization to go to the Skylar Automated RCA user interface, where you can access further details and perform optional customizations on the Root Cause Report page.

The Root Cause Timeline widget is specific to "AIML Predictions" widget types only.

If you selected Root Cause Timeline as the visualization, complete the following fields:

  • Title. Enter a title for the widget.

  • Skylar Automated RCA Connection ID. Enter the unique connection ID from Skylar Automated RCA, which you can find by creating a service connection between SL1 and Skylar Automated RCA. The value appears on the Service Connections page (Manage > Service Connections) in the SL1 user interface. For more information, see Configuring a Skylar Connection for the Root Cause widget.

  • Skylar Automated RCA Service Groups. Enter the name or names of the service groups in Skylar Automated RCA that you want to monitor with this widget. If you have more than one service group, separate the names with commas. If you want to view sample alerts for troubleshooting purposes, include the "integration_test" service group here. If you leave this field blank, the widget will include all of the service groups. Optional.

    If you try the sample alert feature, make sure to add the special integration_test service group to this field.

For more information about using the Root Cause Timeline visualization with "AIML Predictions" widget types, see Using the Root Cause Timeline Widget.

Configuring a Skylar Connection for the Root Cause Timeline Widget in SL1

For Skylar Automated RCA users, a Root Cause Timeline visualization is available on the Dashboards page in SL1. This widget visualization lets you see when the Skylar AI detects a possible or confirmed issue. When you hover over an icon for a suggestion or an alert in the widget, a pop-up displays a title and a word cloud that contains additional information about the likely root cause based on the relevant logs associated with the issue.

You can click the icon for a suggestion or an alert on the Root Cause Timeline visualization to go to the Skylar Automated RCA user interface, where you can access further details and perform optional customizations on the Root Cause Report page.

The Root Cause Timeline widget is specific to "AIML Predictions" widget types only.

Connecting Your Skylar Automated RCA Instance to the Root Cause Timeline Widget

To establish communication between Skylar Automated RCA and the Root Cause Timeline widget in SL1, you will need to create a service connection, which enables communication between SL1 and Skylar Automated RCA.

This is a two-part process:

  1. Create an "SL1 Enhanced (12.x)" integration in the Skylar Automated RCA user interface.
  2. Use the data from that integration to create the service connection in SL1.

Creating a Dashboard Widget Integration in Skylar Automated RCA

You will need credentials for logging in to Skylar Automated RCA to create the following integration.

To create an "SL1 Enhanced (12.x)" integration in Skylar Automated RCA:

  1. Log in to your Skylar Automated RCA instance.
  2. Go to the Integrations & Collectors page (Settings () > Integrations & Collectors) and click the SL1 Enhanced (12.x) button in the ScienceLogic section. The Integrations dialog appears.
  3. Click Create a New Integration. The Create Integration dialog appears.
  4. On the General tab, complete the following fields:
  • Integration Name. Type a name for the widget.
  • Deployment. Select the Skylar Automated RCA deployment that you want to monitor.
  1. Click Save. The Your Integration Info dialog appears, with a summary of the key values for the widget integration.
  2. Make a note of each value, as you will use all three values when creating the service connection in SL1. You can click each value to automatically copy that value.
  3. Click OK. The new integration is added to the ScienceLogic Integrations dialog.

Creating a Service Connection in SL1

After you create the ScienceLogic integration in Skylar Automated RCA, you will have the data you need to create the service connection in SL1.

To refer to this data in the Skylar Automated RCA user interface, go to the Integrations & Collectors page (Settings () > Integrations & Collectors) and click the SL1 Ehanced (12.x) button in the ScienceLogic section, and then click the edit icon () for that integration. The Edit dialog displays all the relevant data you need for this procedure.

To create a Skylar Automated RCA service connection in SL1:

  1. In SL1, go to the Service Connections page (Manage > Service Connections).

  2. Click Add Service Connection. The Create Connection window appears.

  3. Complete the following fields:

    • Name. Type a name for this new service connection.
    • Access Token. Add the Access Token value from the Your Integration Info dialog or the Edit Integration dialog. You can also access this information on the Access Tokens page (Settings () > Access Tokens) in the Skylar Automated RCA user interface.
    • Skylar Automated RCA Endpoint URL. Add the Endpoint URL value from the Your Integration Info dialog or the Edit Integration dialog. Skylar Automated RCA Cloud users can use the default value in this field, while Skylar Automated RCA On Prem users will need to add the URL of their on-premises Skylar Automated RCA instance.
    • Skylar Automated RCA Deployment ID. Add the Deployment ID value from the Your Integration Info dialog or the Edit Integration dialog.
    • Share data with. Select the All Organizations toggle (turn it blue) to share with all existing and new organizations when you create them. Alternately, you deselect the All Organizations toggle (turn it gray) and select one or more organizations from the Selected Organizations drop-down to limit access to this connection to only the selected organizations.
  4. Click Save.
  5. On the Service Connections page, copy the Service Connection ID value from the ID column for the service connection you just created. You will use this value when you create the Root Cause Timeline widget for the "AIML Predictions" widget type.

Creating a Sample Alert for the Widget

To create a sample alert to display on the new widget, you will need to add the "integration_test" service group in the "SL1 Enhanced (12.x)" integration in the Skylar Automated RCA user interface. You will not see the sample alert in SL1 unless you configure the connector or widget to include the "integration_test" service group.

  1. In the Skylar Automated RCA user interface, go to the Integrations & Collectors page (Settings () > Integrations & Collectors) and click the SL1 Enhanced (12.x) button in the ScienceLogic section. The Integrations dialog appears.
  2. Click the edit button next to the integration with SL1 that you created earlier.
  3. Make sure that one of the service groups in the Service Groups drop-down includes integration_test. The Create Sample Alert button creates an alert in the integration_test service group.
  4. Click Save.
  5. After you update the service group, you can click Create Sample Alert to test your settings. If your settings were correct, a sample alert will display on the Alerts page in the Skylar Automated RCA user interface.

Using the Root Cause Timeline Widget

The main section of the Timeline widget contains a time-based chart with different icons that represent the following Skylar Automated RCA elements:

  • Suggestion (). A yellow diamond represents a suggestion, or a potential problem found by the Skylar AI. When you click a yellow diamond, the RCA Report page for that suggestion opens in the Skylar Automated RCA user interface. On that page, you can choose to accept or reject that suggestion. 
    • If you accept the suggestion, Skylar Automated RCA will create a rule for the settings for that suggestion in the future.
    • If you reject the suggestion, Skylar Automated RCA will no longer show a suggestion with the same settings as that suggestion in the widget.
  • Accepted Alert (). A green circle represents an accepted alert, a suggestion that you or another Skylar Automated RCA user has accepted.
  • Custom Alert (). A blue triangle represents a custom alert, which you or another user defined by writing a regular expression in Skylar Automated RCA that searches for a specific pattern.

When you hover over an icon in the chart, a pop-up window appears with date and time information about that specific suggestion or alert, along with a title and word cloud that contains suggestions and information about the likely root cause.

The Timeline widget also includes the following graphical elements:

  • Spike. A gray vertical line appears on the widget if there are too many suggestions or alerts to show for a specific time. You can click and drag on the spike to zoom in so you can see all of the suggestions for that specific time. Click Reset zoom to go back to the default view settings.

  • Log Lines timeline. Hover over this gray line to view a pop-up window that displays the number of log lines that have been ingested within this time interval.

  • Rare Events timeline. Hover over this red line to view a pop-up window that displays the number of events marked as rare, such as possible issues or problems, that have been ingested within this time interval. Rare events are often the most diagnostic anomalies in the logs.

Working with Suggestions in the Skylar Automated RCA User Interface

You can click the icon for a suggestion or an alert on the Timeline widget to go to the Skylar Automated RCA user interface, where you can access further details and perform optional customizations on the Root Cause Report page.

For more information about what you can do on the Root Cause Report page, see Root Cause Reports in the Skylar Automated RCA Product Documentation.